git: acfe37ddd77d - main - security/openvpn: remove 2048-bit legacy Diffie Hellman
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 20 Aug 2025 18:04:19 UTC
The branch main has been updated by mandree:
URL: https://cgit.FreeBSD.org/ports/commit/?id=acfe37ddd77db77a7858be8d46892fce3151498d
commit acfe37ddd77db77a7858be8d46892fce3151498d
Author: Matthias Andree <mandree@FreeBSD.org>
AuthorDate: 2025-08-20 17:47:38 +0000
Commit: Matthias Andree <mandree@FreeBSD.org>
CommitDate: 2025-08-20 18:01:45 +0000
security/openvpn: remove 2048-bit legacy Diffie Hellman
I received a fallout complaint from i386 FreeBSD 15-PRERELEASE
builders that, as of now, has no other explanation than a tightened
(if intermediately) SECLEVEL on that machine, and that's due to
Diffie-Hellman 2048 bit parameters, and self-tests are failing
with stereotypical "ee key too small" and "dh key too small".
While it's not clear what the exact cause of the failure is and
if we had a glitch in the OpenSSL 3.5.1 import (Enji updated
the main branch to 3.5.2 shortly after), let's modernize the
setup a bit.
Fallout and Builder logs (I take it the 2nd URL states
that the FreeBSD src branch was at commit c6778f3a442):
https://pkg-status.freebsd.org/beefy17/data/main-i386-default/p98b748365fe6_sc6778f3a442/logs/openvpn-2.6.14.log
https://pkg-status.freebsd.org/beefy17/build.html?mastername=main-i386-default&build=p98b748365fe6_sc6778f3a442
2025-08-20 11:46:39 OpenVPN 2.6.14 i386-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
2025-08-20 11:46:39 Note: dev-type not tun, disabling data channel offload.
2025-08-20 11:46:39 library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
2025-08-20 11:46:39 OpenVPN 2.6.14 i386-portbld-freebsd15.0 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] [DCO]
2025-08-20 11:46:39 DCO version: FreeBSD 15.0-PRERELEASE 1500061
2025-08-20 11:46:39 library versions: OpenSSL 3.5.1 1 Jul 2025, LZO 2.10
2025-08-20 11:46:39 DCO version: FreeBSD 15.0-PRERELEASE 1500061
2025-08-20 11:46:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-08-20 11:46:39 GDG: problem writing to routing socket: Invalid argument (errno=22)
2025-08-20 11:46:39 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2025-08-20 11:46:39 OpenSSL: error:030000A8:digital envelope routines::unknown security bits:
2025-08-20 11:46:39 OpenSSL: error:0A00018A:SSL routines::dh key too small:
2025-08-20 11:46:39 SSL_CTX_set0_tmp_dh_pkey
2025-08-20 11:46:39 Exiting due to fatal error
2025-08-20 11:46:39 OpenSSL: error:030000A8:digital envelope routines::unknown security bits:
2025-08-20 11:46:39 OpenSSL: error:0A00018F:SSL routines::ee key too small:
2025-08-20 11:46:39 Cannot load inline certificate file
2025-08-20 11:46:39 Exiting due to fatal error
FAIL: t_cltsrv.sh
That prompted upstream to file a bug and the suggestion to strip
dh2048.pem from installing the demo file and sample configuration should
not affect existing setups, however, if someone would have used
the shipped dh2048.pem file, that would have to be regenerated with
openssl dhparam -out dh2048.pem 2048.
https://github.com/OpenVPN/openvpn/issues/819
https://gerrit.openvpn.net/c/openvpn/+/1145
Upstream changelog, as of v3 of the latter:
| Remove use of 'dh dh2048.pem' from sample configs, remove 'dh2048.pem' file
|
| Since commit bd9aa06feb41 (Jan 2015) OpenVPN has allowed to use
| '--dh none' to disable traditional Diffie Hellman, since more secure
| ECDH algorithms are available that do not use explicit DH parameters.
|
| If configured with a suffiently high securelevel (3+), or if running in
| FIPS mode, OpenSSL 3.5 will refuse 2048 bit DH files, making our tests
| fail.
|
| Thus, remove all the DH2048 stuff from our sample configs.
Obtained from: Gert Doering
While here, delete files/patch-src_plugins_auth-pam_auth-pam.c
because upstream (namely Antonio Quartulli) had fixed that omission
in v2.6-beta1 already (in 2022, as of OpenVPN's commit 0fed64a91d894b46).
Nobody has been able yet to reproduce the test failure other than by
forcing SECLEVEL=3, so let's just push this and see if we receive
pkg-fallout again next time i386 gets its ports built. Upstream
considers the patch necessary anyways, so let's not waste too much
time on testing on a dying system.
---
security/openvpn/Makefile | 3 ++-
.../patch-doc_man-sections_generic-options.rst | 4 ++--
.../files/patch-doc_tests_authentication-plugins.md | 11 +++++++++++
...tch-sample__sample-config-files__loopback-client | 13 -------------
...tch-sample__sample-config-files__loopback-server | 12 ++++++++++--
...patch-sample_sample-config-files_loopback-client | 13 +++++++++++++
.../patch-sample_sample-config-files_server.conf | 21 +++++++++++++++++++++
...lugins_keying-material-exporter-demo_server.ovpn | 11 +++++++++++
.../files/patch-src_plugins_auth-pam_auth-pam.c | 10 ----------
9 files changed, 70 insertions(+), 28 deletions(-)
diff --git a/security/openvpn/Makefile b/security/openvpn/Makefile
index c771eea03b22..7c44e64f7dba 100644
--- a/security/openvpn/Makefile
+++ b/security/openvpn/Makefile
@@ -1,6 +1,6 @@
PORTNAME= openvpn
DISTVERSION= 2.6.14
-PORTREVISION?= 0
+PORTREVISION?= 1
CATEGORIES= security net net-vpn
MASTER_SITES= https://swupdate.openvpn.org/community/releases/ \
https://build.openvpn.net/downloads/releases/ \
@@ -105,6 +105,7 @@ pre-everything::
.endif
post-patch:
+ ${RM} sample/sample-keys/dh2048.pem # no longer needed
${REINPLACE_CMD} -E -i '' -e 's/(user|group) nobody/\1 openvpn/' \
-e 's/"nobody"( after init)/"openvpn" \1/' \
${WRKSRC}/sample/sample-config-files/*.conf \
diff --git a/security/openvpn/files/patch-doc_man-sections_generic-options.rst b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
index 295f20cd7f1f..28c93860b329 100644
--- a/security/openvpn/files/patch-doc_man-sections_generic-options.rst
+++ b/security/openvpn/files/patch-doc_man-sections_generic-options.rst
@@ -1,6 +1,6 @@
---- doc/man-sections/generic-options.rst.orig 2023-01-25 10:00:58 UTC
+--- doc/man-sections/generic-options.rst.orig 2025-04-02 06:53:10 UTC
+++ doc/man-sections/generic-options.rst
-@@ -507,5 +507,8 @@ which mode OpenVPN is configured as.
+@@ -514,5 +514,8 @@ --user user
since it is usually used by other system services already. Always
create a dedicated user for openvpn.
diff --git a/security/openvpn/files/patch-doc_tests_authentication-plugins.md b/security/openvpn/files/patch-doc_tests_authentication-plugins.md
new file mode 100644
index 000000000000..d680c64019f7
--- /dev/null
+++ b/security/openvpn/files/patch-doc_tests_authentication-plugins.md
@@ -0,0 +1,11 @@
+--- doc/tests/authentication-plugins.md.orig 2025-04-02 06:53:10 UTC
++++ doc/tests/authentication-plugins.md
+@@ -36,7 +36,7 @@ To build the needed authentication plug-in, run:
+ verb 4
+ dev tun
+ server 10.8.0.0 255.255.255.0
+- dh sample/sample-keys/dh2048.pem
++ dh none
+ ca sample/sample-keys/ca.crt
+ cert sample/sample-keys/server.crt
+ key sample/sample-keys/server.key
diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-client b/security/openvpn/files/patch-sample__sample-config-files__loopback-client
deleted file mode 100644
index 0b485a641d8a..000000000000
--- a/security/openvpn/files/patch-sample__sample-config-files__loopback-client
+++ /dev/null
@@ -1,13 +0,0 @@
---- sample/sample-config-files/loopback-client.orig 2016-08-23 14:16:22 UTC
-+++ sample/sample-config-files/loopback-client
-@@ -9,8 +9,8 @@
- # ./openvpn --config sample-config-files/loopback-client (In one window)
- # ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
-
--rport 16000
--lport 16001
-+rport 16100
-+lport 16101
- remote localhost
- local localhost
- dev null
diff --git a/security/openvpn/files/patch-sample__sample-config-files__loopback-server b/security/openvpn/files/patch-sample__sample-config-files__loopback-server
index 58691b133de7..3eac712d9054 100644
--- a/security/openvpn/files/patch-sample__sample-config-files__loopback-server
+++ b/security/openvpn/files/patch-sample__sample-config-files__loopback-server
@@ -1,6 +1,6 @@
---- sample/sample-config-files/loopback-server.orig 2016-08-23 14:16:22 UTC
+--- sample/sample-config-files/loopback-server.orig 2025-04-02 06:53:10 UTC
+++ sample/sample-config-files/loopback-server
-@@ -9,8 +9,8 @@
+@@ -9,15 +9,15 @@
# ./openvpn --config sample-config-files/loopback-client (In one window)
# ./openvpn --config sample-config-files/loopback-server (Simultaneously in another window)
@@ -11,3 +11,11 @@
remote localhost
local localhost
dev null
+ verb 3
+ reneg-sec 10
+ tls-server
+-dh sample-keys/dh2048.pem
++dh none
+ ca sample-keys/ca.crt
+ key sample-keys/server.key
+ cert sample-keys/server.crt
diff --git a/security/openvpn/files/patch-sample_sample-config-files_loopback-client b/security/openvpn/files/patch-sample_sample-config-files_loopback-client
new file mode 100644
index 000000000000..5726f12af605
--- /dev/null
+++ b/security/openvpn/files/patch-sample_sample-config-files_loopback-client
@@ -0,0 +1,13 @@
+--- sample/sample-config-files/loopback-client.orig 2025-04-02 06:53:10 UTC
++++ sample/sample-config-files/loopback-client
+@@ -12,8 +12,8 @@
+ # this config file has the crypto material (cert, key, ..) "inlined",
+ # while the "server" config has it as external reference - test both paths
+
+-rport 16000
+-lport 16001
++rport 16100
++lport 16101
+ remote localhost
+ local localhost
+ dev null
diff --git a/security/openvpn/files/patch-sample_sample-config-files_server.conf b/security/openvpn/files/patch-sample_sample-config-files_server.conf
new file mode 100644
index 000000000000..ba2194589405
--- /dev/null
+++ b/security/openvpn/files/patch-sample_sample-config-files_server.conf
@@ -0,0 +1,21 @@
+--- sample/sample-config-files/server.conf.orig 2025-04-02 06:53:10 UTC
++++ sample/sample-config-files/server.conf
+@@ -87,11 +87,6 @@ key server.key # This file should be kept secret
+ cert server.crt
+ key server.key # This file should be kept secret
+
+-# Diffie hellman parameters.
+-# Generate your own with:
+-# openssl dhparam -out dh2048.pem 2048
+-dh dh2048.pem
+-
+ # Allow to connect to really old OpenVPN versions
+ # without AEAD support (OpenVPN 2.3.x or older)
+ # This adds AES-256-CBC as fallback cipher and
+@@ -307,4 +302,4 @@ verb 3
+
+ # Notify the client that when the server restarts so it
+ # can automatically reconnect.
+-explicit-exit-notify 1
+\ No newline at end of file
++explicit-exit-notify 1
diff --git a/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn b/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn
new file mode 100644
index 000000000000..2ff14e611905
--- /dev/null
+++ b/security/openvpn/files/patch-sample_sample-plugins_keying-material-exporter-demo_server.ovpn
@@ -0,0 +1,11 @@
+--- sample/sample-plugins/keying-material-exporter-demo/server.ovpn.orig 2025-04-02 06:53:10 UTC
++++ sample/sample-plugins/keying-material-exporter-demo/server.ovpn
+@@ -8,7 +8,7 @@ key ../../sample-keys/server.key
+ ca ../../sample-keys/ca.crt
+ cert ../../sample-keys/server.crt
+ key ../../sample-keys/server.key
+-dh ../../sample-keys/dh2048.pem
++dh none
+
+ server 10.8.0.0 255.255.255.0
+ port 1194
diff --git a/security/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c b/security/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c
deleted file mode 100644
index 633bc0f0204d..000000000000
--- a/security/openvpn/files/patch-src_plugins_auth-pam_auth-pam.c
+++ /dev/null
@@ -1,10 +0,0 @@
---- src/plugins/auth-pam/auth-pam.c.orig 2021-06-21 04:44:39 UTC
-+++ src/plugins/auth-pam/auth-pam.c
-@@ -39,6 +39,7 @@
- #include <stdio.h>
- #include <string.h>
- #include <ctype.h>
-+#include <limits.h>
- #include <unistd.h>
- #include <stdlib.h>
- #include <sys/types.h>